©DefensiveOriginsLLCC0320.1–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
EventHandlers
WEC/WEF
EventSubscriptions
LC0320
AppliedPurpleTeaming
Infrastructure,ThreatOptics,andContinuousImprovement
June6,2020
©DefensiveOriginsLLCC0320.2–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
©DefensiveOriginsLLCC0320.3–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WindowsEventForwarding(WEF)totherescue!
Configurationtellsanendpointwheretosenditslogs(Push)
OR
Configurationtellsanendpointwhoiscomingforthem(Pull)
PushedoutviaGPO
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-
forwarding-to-assist-in-intrusion-detection
What’sanAdmintodowithallthoseLogs?
©DefensiveOriginsLLCC0320.4–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WindowsEventForwarding
Pushorpull-notboth
Willqueueevents(size,seenextbullet)
Clientbufferissizeofwindowseventlog
Increasebufferbybumpinglogsize
Deliverytimingoptionsareconfigurable
IPv4/IPv6ready
EncryptedviaKerberosondomain
WEFServerscanbeHA'd
DeployviaGPO
https://social.technet.microsoft.com/wiki/contents/articles/33895.windows-event-forwarding-survival-guide.aspx
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
https://github.com/nsacyber/Event-Forwarding-Guidance
Definecollectorserver[s]
Providenecessaryprivileges
Defineresourceusage(events/sec)
©DefensiveOriginsLLCC0320.5–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WindowsEventCollectortotherescue!
Windowsremotemanagementisrequired(quickCLIconfigbelow)
winrmqc
Windowseventcollectorserviceallowscreationandmanagementofeventsubscriptions
wecutilqc
RemotesystemsmustalsosupporttheWS-Managementprotocol!
https://docs.microsoft.com/en-us/windows/win32/wec/windows-event-collector
Who’sListening?TheWindowsEventCollector(WEC)
©DefensiveOriginsLLCC0320.6–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
Frequencyofconnections(Refresh)
Numberofsubscriptions
Numberofclients
Operatingsystemoftheclients
https://support.microsoft.com/en-us/help/4494356/best-practice-eventlog-forwarding-performance
LogForwardingPerformanceConsiderations
©DefensiveOriginsLLCC0320.7–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
DeliveryOptimization(SubscriptionParameter)
Normal
MinimizeBandwidth
MinimizeLatency
ResourceRestrictions
Eventspersecond
https://support.microsoft.com/en-us/help/4494356/best-practice-eventlog-forwarding-performance
LogForwardingPerformanceConsiderations
©DefensiveOriginsLLCC0320.8–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WindowsEventCollection
https://aws.amazon.com/blogs/big-data/collect-parse-transform-and-stream-windows-events-logs-and-metrics-using-amazon-kinesis-agent-for-microsoft-windows/
https://docs.aws.amazon.com/kinesis-agent-windows/latest/userguide/directory-source-to-s3-tutorial.html
Maintainsregistrystampoflastheartbeat
Nomorethan10kWEFclients
Nomorethan10kevents/sec(rememberEMR?)
MapReduceonAWS
RelativelyInexpensiveandAuto-ScalingOptionforLogIngests
AWSKinesisAgents
Amazingdatapipeliningforalmostanything
Videoanddatastreams
Metricinformation
Logsofalltypes
PictureheresourcedfromAWSKinesisarticlebelow.
©DefensiveOriginsLLCC0320.9–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WindowsEventCollection
Threeconsiderationstoachievemaximumnumbers
DiskI/Ops
Resilientnetworkinfrastructure
Registrysize(lifetimesubscriptionnumbersbelow)
>1,000subscriptionseventviewerwillslowdownnoticeably
>50,000subscriptionseventviewerisnolongeranoption(wecutil.exeinstead)
>100,000subscriptionsregistrybecomesunreadable
©DefensiveOriginsLLCC0320.10–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WindowsEventCollection
Twocommandsonthecollector.
winrmqc(remotemgmtquickconfig)
wecutilqc(eventcollectorutility)
(orpre-deploywinrmviaGPO)
©DefensiveOriginsLLCC0320.11–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WindowsEventCollection
FromtheEventViewerwindow,right(alternate)clickonSubscriptionsandclicktoCreateSubscription...
Ifprompted,asseen
here,clickYes.
©DefensiveOriginsLLCC0320.12–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WorkingwithEventSubscriptions
SecurityInsightBaselines–OpticsConfigurations
AuditPolicy–Whicheventsonthedomainarewegoingtocapture?
WindowsEventForwardingConfiguration
BaselineWEFconfigonallsystems
SuspectWEFconfigontargeted/highrisksystems
Subscriptionsthendefinethefollowing:
EventIDsgroupedinmeaningfulways(exampleonnextslide)wewishtocollect
Sourcecomputergroups
©DefensiveOriginsLLCC0320.13–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
EventChannels
Or,just"channels"
Eventchannel=logbucket
©DefensiveOriginsLLCC0320.14–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WorkingwithEventSubscriptions
GroupingeventIDsinmeaningfulways.
ThisXMLfilter,whenappliedtoasubscription:
Checkthesecuritylogsfor4728or 4732or 4756and 4735
Identifiesusersaddedtoprivilegedgroups
Calledan"XPathquery"andcanbeconstructedasacustomeventlog"view"
©DefensiveOriginsLLCC0320.15–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WorkingwithEventSubscriptions
SecurityInsightBaselines
Youwanteventsubscriptionxmltemplates?
TheNSAhasyoursubscriptionsXMLslinkedbelow.
AccountLockouts
ProblemswithDefender
GroupPolicyErrors
USBDrivesPluggedIn
UsersAddedtoPrivilegedGroups
ProblemswithWindowsUpdates
EachoftheseisjustanXPathquery
Palantir'sEventBaselinesareusedforAPTlab
Thisisjustabaseline.
https://github.com/palantir/windows-event-forwarding
https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Subscriptions/NT6
©DefensiveOriginsLLCC0320.16–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WorkingwithEventSubscriptions
AuditPolicy
Microsoftrecommendsthefollowing:
Anti-Malware
ProcessCreation
RegistryChanges
OSStartup/Shutdown
ServiceInstalls
CAAuditEvents
UserProfileEvents
ServiceStart/Failure
NetworkShareEvents(sans IPC$events)
RDSSessionEvents
EMETEvents
...andsomuchmore...as a baseline...plusthe"suspectsystem/server"baselines
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-sept2019update-for-windows-10-v1903-and/ba-p/890940
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
AFewImportantEventIDs
4624and4634(Logon/Logoff)
4662(ACL’dobjectaccess-Auditreq.)
4688(processlaunchandusage)
4698and4702(tasks+XML)
4740and4625(AcctLockout+SrcIP)
5152,5154,5156,5157(FW-Noisy)
4648,4672,4673(SpecialPrivileges)
4769,4771(Kerberoasting)
5140with\\*\IPC$andsomanymore….
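Two of the IDs above turned into queries, as an added example written for this page (not course material): 4769 with RC4 (TicketEncryptionType 0x17) for Kerberoasting, grouped by the requesting principal, and 4740/4625 grouped by the source that caused them for lockouts and sprays. It runs Get-WinEvent against a domain controller's Security log, or against ForwardedEvents on the collector if you change -LogName; the 24-hour window and the five-service threshold are assumptions.

```powershell
# Added example: Kerberoast and lockout hunting over the Security log.
# Run on a DC (or on the collector with -LogName ForwardedEvents). Thresholds are assumed.
param(
    [string]$LogName = 'Security',
    [int]$Hours = 24,
    [int]$RoastThreshold = 5    # distinct SPN accounts requested with RC4 by one principal
)
$Since = (Get-Date).AddHours(-$Hours)

function Get-EventField {
    # Named EventData lookup; 4769, 4740 and 4625 lay their fields out differently.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# (a) Kerberoast candidates. The XPath filters in the log engine: 4769, recent, RC4 (0x17).
#     Single RC4 tickets are normal on many domains, so the signal is one requester
#     fanning out across many service accounts; krbtgt and computer accounts are excluded.
$roastXPath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $($Hours * 3600000)]] " +
              "and EventData[Data[@Name='TicketEncryptionType']='0x17']]"
$roast = Get-WinEvent -LogName $LogName -FilterXPath $roastXPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Requester = Get-EventField $_ 'TargetUserName'   # who asked for the ticket
            Service   = Get-EventField $_ 'ServiceName'      # SPN account requested
            SourceIp  = Get-EventField $_ 'IpAddress'
        }
    } |
    Where-Object { $_.Service -ne 'krbtgt' -and $_.Service -notlike '*$' }

$roast | Group-Object Requester |
    Where-Object { ($_.Group.Service | Sort-Object -Unique).Count -ge $RoastThreshold } |
    ForEach-Object {
        [pscustomobject]@{
            Requester = $_.Name
            Services  = ($_.Group.Service  | Sort-Object -Unique) -join ','
            SourceIps = ($_.Group.SourceIp | Sort-Object -Unique) -join ','
            First     = ($_.Group.Time | Measure-Object -Minimum).Minimum
        }
    } | Format-Table -AutoSize

# (b) Lockouts and failed logons by source. In 4740 the caller computer name is carried
#     in the TargetDomainName field; in 4625 the source is IpAddress.
$lock = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4740, 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $source = if ($_.Id -eq 4740) { Get-EventField $_ 'TargetDomainName' } else { Get-EventField $_ 'IpAddress' }
        [pscustomobject]@{
            Id      = $_.Id
            Account = Get-EventField $_ 'TargetUserName'
            Source  = $source
        }
    }

$lock | Group-Object Id, Source | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='Accounts'; e={ ($_.Group.Account | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize
```

Both halves depend on the audit policy on the next slide: 4769 needs Kerberos Service Ticket Operations, 4740 needs User Account Management and 4625 needs Logon / Account Lockout auditing, or the queries come back empty without error.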
©DefensiveOriginsLLCC0320.17–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WorkingwithEventSubscriptions
AuditPolicy
YoumusthaveAuditProcessCreationauditingenabled
Youmustenablethepolicysetting:
Includecommandlineinprocesscreationevents
“WhenyouuseAdvancedAuditPolicyConfigurationsettings,youneedto
confirmthatthesesettingsarenotoverwrittenbybasicauditpolicy
settings.”(cit.*MSFT,seelinks)
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
https://github.com/MotiBa/Sysmon/
https://github.com/SwiftOnSecurity/sysmon-config
https://www.malwarearchaeology.com/cheat-sheets
https://adsecurity.org/?p=3458
http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
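The three steps on this slide applied to one host, as an added example written for this page (not course material): enable the audit subcategories behind the event IDs on the previous slide, switch on command-line capture for 4688, and set the override that stops a basic (category-level) policy from wiping the subcategory settings. The subcategory list and the cmd.exe test process are assumptions for the demo; domain-wide you set the same things in a GPO under Advanced Audit Policy Configuration and let it win over local settings. The subcategory names are the English ones auditpol prints; a localized OS uses different strings.

```powershell
# Added example: local audit policy for the event IDs this deck cares about.
# Run elevated on a test host. Subcategory names are as auditpol /list /subcategory:* prints them.

$Subcategories = @(
    'Process Creation',                     # 4688
    'Logon', 'Logoff',                      # 4624/4634/4648
    'Account Lockout',                      # 4625 for locked-out accounts
    'User Account Management',              # 4740 (logged on the DC)
    'Special Logon',                        # 4672
    'Sensitive Privilege Use',              # 4673
    'Security Group Management',            # 4728/4732/4756/4735
    'Other Object Access Events',           # 4698/4702 scheduled tasks
    'Directory Service Access',             # 4662 (still needs a SACL on the object)
    'Kerberos Service Ticket Operations',   # 4769
    'Kerberos Authentication Service',      # 4768/4771
    'File Share',                           # 5140
    'Security System Extension'             # 4697 service installs
)
foreach ($s in $Subcategories) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# "Include command line in process creation events" writes this DWORD.
$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $AuditKey -Force | Out-Null
Set-ItemProperty -Path $AuditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# "Audit: Force audit policy subcategory settings ... to override audit policy category
# settings" is SCENoApplyLegacyAuditPolicy. Without it a basic category policy can
# silently overwrite everything set above.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $LsaKey -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Verify: every requested subcategory should now read "Success and Failure".
$pattern = ($Subcategories | ForEach-Object { [regex]::Escape($_) }) -join '|'
auditpol /get /category:* | Where-Object { $_ -match "^\s+($pattern)\s" }

# Prove 4688 now carries the command line: spawn a harmless process and read it back.
Start-Process -FilePath cmd.exe -ArgumentList '/c', 'whoami /all' -WindowStyle Hidden -Wait
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Image   = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'NewProcessName' }).'#text'
            CmdLine = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        }
    }
```

If the CmdLine column comes back empty after a fresh 4688, the usual cause is a domain GPO that still carries a basic audit policy: the local subcategory settings were applied and then overwritten at the next policy refresh, which is exactly the overwrite the quoted Microsoft sentence warns about.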
©DefensiveOriginsLLCC0320.18–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
WorkingwithEventSubscriptions
AuditPolicyBaselines
©DefensiveOriginsLLCC0320.19–APTOpticsInfrastructure–EventHandlers
AppliedPurpleTeaming–Infrastructure,ThreatOptics,andContinuousImprovement
June6
th
,2020
SponsoredbyBlackHillsInformationSecurity
RECAP.

Sysmon. Enable WEC. Deploy WEF. Event Subscriptions. Configure Auditing.
Enable Windows Collection
  Plan appropriately for scaling
Deploy Windows Event Forwarding configuration
  Use GPO to configure security privileges for event log reading by NETWORK SERVICE
  And to define the Windows Event Collector's destination URL
Configure Event Subscriptions
  Group event IDs in meaningful ways and create a subscription
Plan, configure, and deploy Audit Policies
  This is critical to the success of this project
  You cannot see that which you do not audit